/* BEGIN_HEADER */
#include "mbedtls/ccm.h"

/* Use the multipart interface to process the encrypted data in two parts
 * and check that the output matches the expected output.
 * The context must have been set up with the key. */
static int check_multipart(mbedtls_ccm_context *ctx,
                           int mode,
                           const data_t *iv,
                           const data_t *add,
                           const data_t *input,
                           const data_t *expected_output,
                           const data_t *tag,
                           size_t n1,
                           size_t n1_add)
{
    int ok = 0;
    uint8_t *output = NULL;
    size_t n2 = input->len - n1;
    size_t n2_add = add->len - n1_add;
    size_t olen;

    /* Sanity checks on the test data */
    TEST_ASSERT(n1 <= input->len);
    TEST_ASSERT(n1_add <= add->len);
    TEST_EQUAL(input->len, expected_output->len);
    TEST_EQUAL(0, mbedtls_ccm_starts(ctx, mode, iv->x, iv->len));
    TEST_EQUAL(0, mbedtls_ccm_set_lengths(ctx, add->len, input->len, tag->len));
    TEST_EQUAL(0, mbedtls_ccm_update_ad(ctx, add->x, n1_add));
    TEST_EQUAL(0, mbedtls_ccm_update_ad(ctx, add->x + n1_add, n2_add));

    /* Allocate a tight buffer for each update call. This way, if the function
     * tries to write beyond the advertised required buffer size, this will
     * count as an overflow for memory sanitizers and static checkers. */
    ASSERT_ALLOC(output, n1);
    olen = 0xdeadbeef;
    TEST_EQUAL(0, mbedtls_ccm_update(ctx, input->x, n1, output, n1, &olen));
    TEST_EQUAL(n1, olen);
    ASSERT_COMPARE(output, olen, expected_output->x, n1);
    mbedtls_free(output);
    output = NULL;

    ASSERT_ALLOC(output, n2);
    olen = 0xdeadbeef;
    TEST_EQUAL(0, mbedtls_ccm_update(ctx, input->x + n1, n2, output, n2, &olen));
    TEST_EQUAL(n2, olen);
    ASSERT_COMPARE(output, olen, expected_output->x + n1, n2);
    mbedtls_free(output);
    output = NULL;

    ASSERT_ALLOC(output, tag->len);
    TEST_EQUAL(0, mbedtls_ccm_finish(ctx, output, tag->len));
    ASSERT_COMPARE(output, tag->len, tag->x, tag->len);
    mbedtls_free(output);
    output = NULL;

    ok = 1;
exit:
    mbedtls_free(output);
    return ok;
}
/* END_HEADER */

/* BEGIN_DEPENDENCIES
 * depends_on:MBEDTLS_CCM_C
 * END_DEPENDENCIES
 */

/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST:MBEDTLS_AES_C */
void mbedtls_ccm_self_test()
{
    TEST_ASSERT(mbedtls_ccm_self_test(1) == 0);
}
/* END_CASE */

/* BEGIN_CASE */
void mbedtls_ccm_setkey(int cipher_id, int key_size, int result)
{
    mbedtls_ccm_context ctx;
    unsigned char key[32];
    int ret;

    mbedtls_ccm_init(&ctx);

    memset(key, 0x2A, sizeof(key));
    TEST_ASSERT((unsigned) key_size <= 8 * sizeof(key));

    ret = mbedtls_ccm_setkey(&ctx, cipher_id, key, key_size);
    TEST_ASSERT(ret == result);

exit:
    mbedtls_ccm_free(&ctx);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_AES_C */
void ccm_lengths(int msg_len, int iv_len, int add_len, int tag_len, int res)
{
    mbedtls_ccm_context ctx;
    unsigned char key[16];
    unsigned char msg[10];
    unsigned char iv[14];
    unsigned char *add = NULL;
    unsigned char out[10];
    unsigned char tag[18];
    int decrypt_ret;

    mbedtls_ccm_init(&ctx);

    ASSERT_ALLOC_WEAK(add, add_len);
    memset(key, 0, sizeof(key));
    memset(msg, 0, sizeof(msg));
    memset(iv, 0, sizeof(iv));
    memset(out, 0, sizeof(out));
    memset(tag, 0, sizeof(tag));

    TEST_ASSERT(mbedtls_ccm_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
                                   key, 8 * sizeof(key)) == 0);

    TEST_ASSERT(mbedtls_ccm_encrypt_and_tag(&ctx, msg_len, iv, iv_len, add, add_len,
                                            msg, out, tag, tag_len) == res);

    decrypt_ret = mbedtls_ccm_auth_decrypt(&ctx, msg_len, iv, iv_len, add, add_len,
                                           msg, out, tag, tag_len);

    if (res == 0) {
        TEST_ASSERT(decrypt_ret == MBEDTLS_ERR_CCM_AUTH_FAILED);
    } else {
        TEST_ASSERT(decrypt_ret == res);
    }

exit:
    mbedtls_free(add);
    mbedtls_ccm_free(&ctx);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_AES_C */
void ccm_star_lengths(int msg_len, int iv_len, int add_len, int tag_len,
                      int res)
{
    mbedtls_ccm_context ctx;
    unsigned char key[16];
    unsigned char msg[10];
    unsigned char iv[14];
    unsigned char add[10];
    unsigned char out[10];
    unsigned char tag[18];
    int decrypt_ret;

    mbedtls_ccm_init(&ctx);

    memset(key, 0, sizeof(key));
    memset(msg, 0, sizeof(msg));
    memset(iv, 0, sizeof(iv));
    memset(add, 0, sizeof(add));
    memset(out, 0, sizeof(out));
    memset(tag, 0, sizeof(tag));

    TEST_ASSERT(mbedtls_ccm_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
                                   key, 8 * sizeof(key)) == 0);

    TEST_ASSERT(mbedtls_ccm_star_encrypt_and_tag(&ctx, msg_len, iv, iv_len,
                                                 add, add_len, msg, out, tag, tag_len) == res);

    decrypt_ret = mbedtls_ccm_star_auth_decrypt(&ctx, msg_len, iv, iv_len, add,
                                                add_len, msg, out, tag, tag_len);

    if (res == 0 && tag_len != 0) {
        TEST_ASSERT(decrypt_ret == MBEDTLS_ERR_CCM_AUTH_FAILED);
    } else {
        TEST_ASSERT(decrypt_ret == res);
    }

exit:
    mbedtls_ccm_free(&ctx);
}
/* END_CASE */

/* BEGIN_CASE */
void mbedtls_ccm_encrypt_and_tag(int cipher_id, data_t *key,
                                 data_t *msg, data_t *iv,
                                 data_t *add, data_t *result)
{
    mbedtls_ccm_context ctx;
    size_t n1, n1_add;
    uint8_t *io_msg_buf = NULL;
    uint8_t *tag_buf = NULL;
    const size_t expected_tag_len = result->len - msg->len;
    const uint8_t *expected_tag = result->x + msg->len;

    /* Prepare input/output message buffer */
    ASSERT_ALLOC(io_msg_buf, msg->len);
    if (msg->len != 0) {
        memcpy(io_msg_buf, msg->x, msg->len);
    }

    /* Prepare tag buffer */
    ASSERT_ALLOC(tag_buf, expected_tag_len);

    mbedtls_ccm_init(&ctx);
    TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
    /* Test with input == output */
    TEST_EQUAL(mbedtls_ccm_encrypt_and_tag(&ctx, msg->len, iv->x, iv->len, add->x, add->len,
                                           io_msg_buf, io_msg_buf, tag_buf, expected_tag_len), 0);

    ASSERT_COMPARE(io_msg_buf, msg->len, result->x, msg->len);
    ASSERT_COMPARE(tag_buf, expected_tag_len, expected_tag, expected_tag_len);

    /* Prepare data_t structures for multipart testing */
    const data_t encrypted_expected = { .x = result->x,
                                        .len = msg->len };
    const data_t tag_expected = { .x = (uint8_t *) expected_tag, /* cast to conform with data_t x type */
                                  .len = expected_tag_len };

    for (n1 = 0; n1 <= msg->len; n1 += 1) {
        for (n1_add = 0; n1_add <= add->len; n1_add += 1) {
            mbedtls_test_set_step(n1 * 10000 + n1_add);
            if (!check_multipart(&ctx, MBEDTLS_CCM_ENCRYPT,
                                 iv, add, msg,
                                 &encrypted_expected,
                                 &tag_expected,
                                 n1, n1_add)) {
                goto exit;
            }
        }
    }

exit:
    mbedtls_ccm_free(&ctx);
    mbedtls_free(io_msg_buf);
    mbedtls_free(tag_buf);
}
/* END_CASE */

/* BEGIN_CASE */
void mbedtls_ccm_star_no_tag(int cipher_id, int mode, data_t *key,
                             data_t *msg, data_t *iv, data_t *result)
{
    mbedtls_ccm_context ctx;
    uint8_t *output = NULL;
    size_t olen;

    mbedtls_ccm_init(&ctx);
    TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
    TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
    TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, 0, msg->len, 0));

    ASSERT_ALLOC(output, msg->len);
    TEST_EQUAL(0, mbedtls_ccm_update(&ctx, msg->x, msg->len, output, msg->len, &olen));
    TEST_EQUAL(result->len, olen);
    ASSERT_COMPARE(output, olen, result->x, result->len);

    TEST_EQUAL(0, mbedtls_ccm_finish(&ctx, NULL, 0));
exit:
    mbedtls_free(output);
    mbedtls_ccm_free(&ctx);
}
/* END_CASE */

/* BEGIN_CASE */
void mbedtls_ccm_auth_decrypt(int cipher_id, data_t *key,
                              data_t *msg, data_t *iv,
                              data_t *add, int expected_tag_len, int result,
                              data_t *expected_msg)
{
    mbedtls_ccm_context ctx;
    size_t n1, n1_add;

    const size_t expected_msg_len = msg->len - expected_tag_len;
    const uint8_t *expected_tag = msg->x + expected_msg_len;

    /* Prepare input/output message buffer */
    uint8_t *io_msg_buf = NULL;
    ASSERT_ALLOC(io_msg_buf, expected_msg_len);
    if (expected_msg_len) {
        memcpy(io_msg_buf, msg->x, expected_msg_len);
    }

    mbedtls_ccm_init(&ctx);
    TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
    /* Test with input == output */
    TEST_EQUAL(mbedtls_ccm_auth_decrypt(&ctx, expected_msg_len, iv->x, iv->len, add->x, add->len,
                                        io_msg_buf, io_msg_buf, expected_tag, expected_tag_len),
               result);

    if (result == 0) {
        ASSERT_COMPARE(io_msg_buf, expected_msg_len, expected_msg->x, expected_msg_len);

        /* Prepare data_t structures for multipart testing */
        const data_t encrypted = { .x = msg->x,
                                   .len = expected_msg_len };

        const data_t tag_expected = { .x = (uint8_t *) expected_tag,
                                      .len = expected_tag_len };

        for (n1 = 0; n1 <= expected_msg_len; n1 += 1) {
            for (n1_add = 0; n1_add <= add->len; n1_add += 1) {
                mbedtls_test_set_step(n1 * 10000 + n1_add);
                if (!check_multipart(&ctx, MBEDTLS_CCM_DECRYPT,
                                     iv, add, &encrypted,
                                     expected_msg,
                                     &tag_expected,
                                     n1, n1_add)) {
                    goto exit;
                }
            }
        }
    } else {
        size_t i;

        for (i = 0; i < expected_msg_len; i++) {
            TEST_EQUAL(io_msg_buf[i], 0);
        }
    }

exit:
    mbedtls_free(io_msg_buf);
    mbedtls_ccm_free(&ctx);
}
/* END_CASE */

/* BEGIN_CASE */
void mbedtls_ccm_star_encrypt_and_tag(int cipher_id,
                                      data_t *key, data_t *msg,
                                      data_t *source_address, data_t *frame_counter,
                                      int sec_level, data_t *add,
                                      data_t *expected_result, int output_ret)
{
    unsigned char iv[13];
    mbedtls_ccm_context ctx;
    size_t iv_len, expected_tag_len;
    size_t n1, n1_add;
    uint8_t *io_msg_buf = NULL;
    uint8_t *tag_buf = NULL;

    const uint8_t *expected_tag = expected_result->x + msg->len;

    /* Calculate tag length */
    if (sec_level % 4 == 0) {
        expected_tag_len = 0;
    } else {
        expected_tag_len = 1 << (sec_level % 4 + 1);
    }

    /* Prepare input/output message buffer */
    ASSERT_ALLOC(io_msg_buf, msg->len);
    if (msg->len) {
        memcpy(io_msg_buf, msg->x, msg->len);
    }

    /* Prepare tag buffer */
    if (expected_tag_len == 0) {
        ASSERT_ALLOC(tag_buf, 16);
    } else {
        ASSERT_ALLOC(tag_buf, expected_tag_len);
    }

    /* Calculate iv */
    TEST_ASSERT(source_address->len == 8);
    TEST_ASSERT(frame_counter->len == 4);
    memcpy(iv, source_address->x, source_address->len);
    memcpy(iv + source_address->len, frame_counter->x, frame_counter->len);
    iv[source_address->len + frame_counter->len] = sec_level;
    iv_len = sizeof(iv);

    mbedtls_ccm_init(&ctx);
    TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id,
                                  key->x, key->len * 8), 0);
    /* Test with input == output */
    TEST_EQUAL(mbedtls_ccm_star_encrypt_and_tag(&ctx, msg->len, iv, iv_len,
                                                add->x, add->len, io_msg_buf,
                                                io_msg_buf, tag_buf, expected_tag_len), output_ret);

    ASSERT_COMPARE(io_msg_buf, msg->len, expected_result->x, msg->len);
    ASSERT_COMPARE(tag_buf, expected_tag_len, expected_tag, expected_tag_len);

    if (output_ret == 0) {
        const data_t iv_data = { .x = iv,
                                 .len = iv_len };

        const data_t encrypted_expected = { .x = expected_result->x,
                                            .len = msg->len };
        const data_t tag_expected = { .x = (uint8_t *) expected_tag,
                                      .len = expected_tag_len };

        for (n1 = 0; n1 <= msg->len; n1 += 1) {
            for (n1_add = 0; n1_add <= add->len; n1_add += 1) {
                mbedtls_test_set_step(n1 * 10000 + n1_add);
                if (!check_multipart(&ctx, MBEDTLS_CCM_STAR_ENCRYPT,
                                     &iv_data, add, msg,
                                     &encrypted_expected,
                                     &tag_expected,
                                     n1, n1_add)) {
                    goto exit;
                }
            }
        }
    }

exit:
    mbedtls_ccm_free(&ctx);
    mbedtls_free(io_msg_buf);
    mbedtls_free(tag_buf);
}
/* END_CASE */

/* BEGIN_CASE */
void mbedtls_ccm_star_auth_decrypt(int cipher_id,
                                   data_t *key, data_t *msg,
                                   data_t *source_address, data_t *frame_counter,
                                   int sec_level, data_t *add,
                                   data_t *expected_result, int output_ret)
{
    unsigned char iv[13];
    mbedtls_ccm_context ctx;
    size_t iv_len, expected_tag_len;
    size_t n1, n1_add;

    /* Calculate tag length */
    if (sec_level % 4 == 0) {
        expected_tag_len = 0;
    } else {
        expected_tag_len = 1 << (sec_level % 4 + 1);
    }

    const size_t expected_msg_len = msg->len - expected_tag_len;
    const uint8_t *expected_tag = msg->x + expected_msg_len;

    /* Prepare input/output message buffer */
    uint8_t *io_msg_buf = NULL;
    ASSERT_ALLOC(io_msg_buf, expected_msg_len);
    if (expected_msg_len) {
        memcpy(io_msg_buf, msg->x, expected_msg_len);
    }

    /* Calculate iv */
    memset(iv, 0x00, sizeof(iv));
    TEST_ASSERT(source_address->len == 8);
    TEST_ASSERT(frame_counter->len == 4);
    memcpy(iv, source_address->x, source_address->len);
    memcpy(iv + source_address->len, frame_counter->x, frame_counter->len);
    iv[source_address->len + frame_counter->len] = sec_level;
    iv_len = sizeof(iv);

    mbedtls_ccm_init(&ctx);
    TEST_ASSERT(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8) == 0);
    /* Test with input == output */
    TEST_EQUAL(mbedtls_ccm_star_auth_decrypt(&ctx, expected_msg_len, iv, iv_len,
                                             add->x, add->len, io_msg_buf, io_msg_buf,
                                             expected_tag, expected_tag_len), output_ret);

    ASSERT_COMPARE(io_msg_buf, expected_msg_len, expected_result->x, expected_msg_len);

    if (output_ret == 0) {
        const data_t iv_data = { .x = iv,
                                 .len = iv_len };

        const data_t encrypted = { .x = msg->x,
                                   .len = expected_msg_len };

        const data_t tag_expected = { .x = (uint8_t *) expected_tag,
                                      .len = expected_tag_len };

        for (n1 = 0; n1 <= expected_msg_len; n1 += 1) {
            for (n1_add = 0; n1_add <= add->len; n1_add += 1) {
                mbedtls_test_set_step(n1 * 10000 + n1_add);
                if (!check_multipart(&ctx, MBEDTLS_CCM_STAR_DECRYPT,
                                     &iv_data, add, &encrypted,
                                     expected_result,
                                     &tag_expected,
                                     n1, n1_add)) {
                    goto exit;
                }
            }
        }
    }

exit:
    mbedtls_ccm_free(&ctx);
    mbedtls_free(io_msg_buf);
}
/* END_CASE */

/* Skip auth data, provide full text */
/* BEGIN_CASE */
void mbedtls_ccm_skip_ad(int cipher_id, int mode,
                         data_t *key, data_t *msg, data_t *iv,
                         data_t *result, data_t *tag)
{
    mbedtls_ccm_context ctx;
    uint8_t *output = NULL;
    size_t olen;

    /* Sanity checks on the test data */
    TEST_EQUAL(msg->len, result->len);

    mbedtls_ccm_init(&ctx);
    TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
    TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
    TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, 0, msg->len, tag->len));

    ASSERT_ALLOC(output, result->len);
    olen = 0xdeadbeef;
    TEST_EQUAL(0, mbedtls_ccm_update(&ctx, msg->x, msg->len, output, result->len, &olen));
    TEST_EQUAL(result->len, olen);
    ASSERT_COMPARE(output, olen, result->x, result->len);
    mbedtls_free(output);
    output = NULL;

    ASSERT_ALLOC(output, tag->len);
    TEST_EQUAL(0, mbedtls_ccm_finish(&ctx, output, tag->len));
    ASSERT_COMPARE(output, tag->len, tag->x, tag->len);
    mbedtls_free(output);
    output = NULL;

exit:
    mbedtls_free(output);
    mbedtls_ccm_free(&ctx);
}
/* END_CASE */

/* Provide auth data, skip full text */
/* BEGIN_CASE */
void mbedtls_ccm_skip_update(int cipher_id, int mode,
                             data_t *key, data_t *iv, data_t *add,
                             data_t *tag)
{
    mbedtls_ccm_context ctx;
    uint8_t *output = NULL;

    mbedtls_ccm_init(&ctx);
    TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
    TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
    TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, 0, tag->len));

    TEST_EQUAL(0, mbedtls_ccm_update_ad(&ctx, add->x, add->len));

    ASSERT_ALLOC(output, tag->len);
    TEST_EQUAL(0, mbedtls_ccm_finish(&ctx, output, tag->len));
    ASSERT_COMPARE(output, tag->len, tag->x, tag->len);
    mbedtls_free(output);
    output = NULL;

exit:
    mbedtls_free(output);
    mbedtls_ccm_free(&ctx);
}
/* END_CASE */

/* Provide too much auth data */
/* BEGIN_CASE */
void mbedtls_ccm_overflow_ad(int cipher_id, int mode,
                             data_t *key, data_t *iv,
                             data_t *add)
{
    mbedtls_ccm_context ctx;

    mbedtls_ccm_init(&ctx);
    TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
    TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
    // use hardcoded values for msg length and tag length. They are not a part of this test
    // subtract 1 from configured auth data length to provoke an overflow
    TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len - 1, 16, 16));

    TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad(&ctx, add->x, add->len));
exit:
    mbedtls_ccm_free(&ctx);
}
/* END_CASE */

/* Provide unexpected auth data */
/* BEGIN_CASE */
void mbedtls_ccm_unexpected_ad(int cipher_id, int mode,
                               data_t *key, data_t *iv,
                               data_t *add)
{
    mbedtls_ccm_context ctx;

    mbedtls_ccm_init(&ctx);
    TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
    TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
    // use hardcoded values for msg length and tag length. They are not a part of this test
    TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, 0, 16, 16));

    TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad(&ctx, add->x, add->len));
exit:
    mbedtls_ccm_free(&ctx);
}
/* END_CASE */

/* Provide unexpected plaintext/ciphertext data */
/* BEGIN_CASE */
void mbedtls_ccm_unexpected_text(int cipher_id, int mode,
                                 data_t *key, data_t *msg, data_t *iv,
                                 data_t *add)
{
    mbedtls_ccm_context ctx;
    uint8_t *output = NULL;
    size_t olen;

    mbedtls_ccm_init(&ctx);
    TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
    TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
    // use hardcoded value for tag length. It is not a part of this test
    TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, 0, 16));

    TEST_EQUAL(0, mbedtls_ccm_update_ad(&ctx, add->x, add->len));

    ASSERT_ALLOC(output, msg->len);
    olen = 0xdeadbeef;
    TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT,
               mbedtls_ccm_update(&ctx, msg->x, msg->len, output, msg->len, &olen));
exit:
    mbedtls_free(output);
    mbedtls_ccm_free(&ctx);
}
/* END_CASE */

/* Provide incomplete auth data and finish */
/* BEGIN_CASE */
void mbedtls_ccm_incomplete_ad(int cipher_id, int mode,
                               data_t *key, data_t *iv, data_t *add)
{
    mbedtls_ccm_context ctx;
    uint8_t *output = NULL;

    mbedtls_ccm_init(&ctx);
    TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
    TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
    // use hardcoded values for msg length and tag length. They are not a part of this test
    TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, 0, 16));

    TEST_EQUAL(0, mbedtls_ccm_update_ad(&ctx, add->x, add->len - 1));

    ASSERT_ALLOC(output, 16);
    TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_finish(&ctx, output, 16));

exit:
    mbedtls_free(output);
    mbedtls_ccm_free(&ctx);
}
/* END_CASE */

/* Provide complete auth data on first update_ad.
 * Provide unexpected auth data on second update_ad */
/* BEGIN_CASE */
void mbedtls_ccm_full_ad_and_overflow(int cipher_id, int mode,
                                      data_t *key, data_t *iv,
                                      data_t *add)
{
    mbedtls_ccm_context ctx;

    mbedtls_ccm_init(&ctx);
    TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
    TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
    // use hardcoded values for msg length and tag length. They are not a part of this test
    TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, 16, 16));

    // pass full auth data
    TEST_EQUAL(0, mbedtls_ccm_update_ad(&ctx, add->x, add->len));
    // pass 1 extra byte
    TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad(&ctx, add->x, 1));
exit:
    mbedtls_ccm_free(&ctx);
}
/* END_CASE */

/* Provide incomplete auth data on first update_ad.
 * Provide too much auth data on second update_ad */
/* BEGIN_CASE */
void mbedtls_ccm_incomplete_ad_and_overflow(int cipher_id, int mode,
                                            data_t *key, data_t *iv,
                                            data_t *add)
{
    mbedtls_ccm_context ctx;
    uint8_t add_second_buffer[2];

    add_second_buffer[0] = add->x[add->len - 1];
    add_second_buffer[1] = 0xAB; // some magic value

    mbedtls_ccm_init(&ctx);
    TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
    TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
    // use hardcoded values for msg length and tag length. They are not a part of this test
    TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, 16, 16));

    // pass incomplete auth data
    TEST_EQUAL(0, mbedtls_ccm_update_ad(&ctx, add->x, add->len - 1));
    // pass 2 extra bytes (1 missing byte from previous incomplete pass, and 1 unexpected byte)
    TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad(&ctx, add_second_buffer, 2));
exit:
    mbedtls_ccm_free(&ctx);
}
/* END_CASE */

/* Provide too much plaintext/ciphertext */
/* BEGIN_CASE */
void mbedtls_ccm_overflow_update(int cipher_id, int mode,
                                 data_t *key, data_t *msg, data_t *iv,
                                 data_t *add)
{
    mbedtls_ccm_context ctx;
    uint8_t *output = NULL;
    size_t olen;

    mbedtls_ccm_init(&ctx);
    TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
    TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
    // use hardcoded value for tag length. It is a not a part of this test
    // subtract 1 from configured msg length to provoke an overflow
    TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, msg->len - 1, 16));

    TEST_EQUAL(0, mbedtls_ccm_update_ad(&ctx, add->x, add->len));

    ASSERT_ALLOC(output, msg->len);
    TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, \
               mbedtls_ccm_update(&ctx, msg->x, msg->len, output, msg->len, &olen));
exit:
    mbedtls_free(output);
    mbedtls_ccm_free(&ctx);
}
/* END_CASE */

/* Provide incomplete plaintext/ciphertext and finish */
/* BEGIN_CASE */
void mbedtls_ccm_incomplete_update(int cipher_id, int mode,
                                   data_t *key, data_t *msg, data_t *iv,
                                   data_t *add)
{
    mbedtls_ccm_context ctx;
    uint8_t *output = NULL;
    size_t olen;

    mbedtls_ccm_init(&ctx);
    TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
    TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
    // use hardcoded value for tag length. It is not a part of this test
    TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, msg->len, 16));

    TEST_EQUAL(0, mbedtls_ccm_update_ad(&ctx, add->x, add->len));

    ASSERT_ALLOC(output, msg->len);
    olen = 0xdeadbeef;
    TEST_EQUAL(0, mbedtls_ccm_update(&ctx, msg->x, msg->len - 1, output, msg->len, &olen));
    mbedtls_free(output);
    output = NULL;

    ASSERT_ALLOC(output, 16);
    TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_finish(&ctx, output, 16));

exit:
    mbedtls_free(output);
    mbedtls_ccm_free(&ctx);
}
/* END_CASE */

/* Provide full plaintext/ciphertext of first update
 * Provide unexpected plaintext/ciphertext on second update */
/* BEGIN_CASE */
void mbedtls_ccm_full_update_and_overflow(int cipher_id, int mode,
                                          data_t *key, data_t *msg, data_t *iv,
                                          data_t *add)
{
    mbedtls_ccm_context ctx;
    uint8_t *output = NULL;
    size_t olen;

    mbedtls_ccm_init(&ctx);
    TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
    TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
    // use hardcoded value for tag length. It is a not a part of this test
    TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, msg->len, 16));

    TEST_EQUAL(0, mbedtls_ccm_update_ad(&ctx, add->x, add->len));

    ASSERT_ALLOC(output, msg->len);
    // pass full text
    TEST_EQUAL(0, mbedtls_ccm_update(&ctx, msg->x, msg->len, output, msg->len, &olen));
    // pass 1 extra byte
    TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, \
               mbedtls_ccm_update(&ctx, msg->x, 1, output, 1, &olen));
exit:
    mbedtls_free(output);
    mbedtls_ccm_free(&ctx);
}
/* END_CASE */

/* Provide incomplete plaintext/ciphertext of first update
 * Provide too much plaintext/ciphertext on second update */
/* BEGIN_CASE */
void mbedtls_ccm_incomplete_update_overflow(int cipher_id, int mode,
                                            data_t *key, data_t *msg, data_t *iv,
                                            data_t *add)
{
    mbedtls_ccm_context ctx;
    uint8_t *output = NULL;
    size_t olen;
    uint8_t msg_second_buffer[2];

    msg_second_buffer[0] = msg->x[msg->len - 1];
    msg_second_buffer[1] = 0xAB; // some magic value

    mbedtls_ccm_init(&ctx);
    TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
    TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
    // use hardcoded value for tag length. It is a not a part of this test
    TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, msg->len, 16));

    TEST_EQUAL(0, mbedtls_ccm_update_ad(&ctx, add->x, add->len));

    ASSERT_ALLOC(output, msg->len + 1);
    // pass incomplete text
    TEST_EQUAL(0, mbedtls_ccm_update(&ctx, msg->x, msg->len - 1, output, msg->len + 1, &olen));
    // pass 2 extra bytes (1 missing byte from previous incomplete pass, and 1 unexpected byte)
    TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, \
               mbedtls_ccm_update(&ctx, msg_second_buffer, 2, output +  msg->len - 1, 2, &olen));
exit:
    mbedtls_free(output);
    mbedtls_ccm_free(&ctx);
}
/* END_CASE */

/* Finish without passing any auth data or plaintext/ciphertext input */
/* BEGIN_CASE */
void mbedtls_ccm_instant_finish(int cipher_id, int mode,
                                data_t *key, data_t *iv)
{
    mbedtls_ccm_context ctx;
    uint8_t *output = NULL;

    mbedtls_ccm_init(&ctx);
    TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
    TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
    // use hardcoded values for add length, msg length and tag length.
    // They are not a part of this test
    TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, 16, 16, 16));

    ASSERT_ALLOC(output, 16);
    TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_finish(&ctx, output, 16));

exit:
    mbedtls_free(output);
    mbedtls_ccm_free(&ctx);
}
/* END_CASE */
